CVE-2014-8143 — Insufficient Verification of Data Authenticity in Samba

CWE-264 CWE-345 — Insufficient Verification of Data Authenticity7 documents7 sources

Severity

8.5HIGHNVD

EPSS

4.9%

top 10.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Samba Debian Samba

Timeline

PublishedJan 17

Latest updateMay 17

Description

Samba 4.0.x before 4.0.24, 4.1.x before 4.1.16, and 4.2.x before 4.2rc4, when an Active Directory Domain Controller (AD DC) is configured, allows remote authenticated users to set the LDB userAccountControl UF_SERVER_TRUST_ACCOUNT bit, and consequently gain privileges, by leveraging delegation of authority for user-account or computer-account creation.

CVSS vector

AV:N/AC:M/C:C/I:C/A:CExploitability: 6.8 | Impact: 10.0

Affected Packages3 packages

▶debiandebian/samba< samba 2:4.1.17+dfsg-1 (bookworm)

▶Debiansamba/samba< 2:4.1.17+dfsg-1+3

▶NVDsamba/samba41 versions+40

Patches

Patch: download.samba.org ↗Patch: download.samba.org ↗Patch: www.samba.org ↗

🔴Vulnerability Details

GHSA

GHSA-g37q-w784-mfjr: Samba 4↗2022-05-17

▶

OSV

CVE-2014-8143: Samba 4↗2015-01-17

▶

📋Vendor Advisories

Ubuntu

Samba vulnerability↗2015-01-22

▶

Red Hat

samba: Privileges elevation to Active Directory Domain Controller↗2015-01-15

▶

Debian

CVE-2014-8143: samba - Samba 4.0.x before 4.0.24, 4.1.x before 4.1.16, and 4.2.x before 4.2rc4, when an...↗2014

▶

💬Community

Bugzilla

CVE-2014-8143 samba: Privileges elevation to Active Directory Domain Controller↗2015-01-13

▶